A company is developing an application in the AWS Cloud. The application's HTTP API contains critical information that is published in Amazon API Gateway. The critical information must be accessible from only a limited set of trusted IP addresses that belong to the company's internal network.
Which solution will meet these requirements?
A. Set up an API Gateway private integration to restrict access to a predefined set of IP addresses.
B. Create a resource policy for the API that denies access to any IP address that is not specifically allowed.
C. Directly deploy the API in a private subnet. Create a network ACL. Set up rules to allow the traffic from specific IP addresses.
D. Modify the security group that is attached to API Gateway to allow inbound traffic from only the trusted IP addresses.
B. Create a resource policy for the API that denies access to any IP address that is not specifically allowed.
Question 862:
A company has an organization in AWS Organizations that has all features enabled. The company requires that all API calls and logins in any existing or new AWS account must be audited. The company needs a managed solution to prevent additional work and to minimize costs. The company also needs to know when any AWS account is not compliant with the AWS Foundational Security Best Practices (FSBP) standard.
Which solution will meet these requirements with the LEAST operational overhead?
A. Deploy an AWS Control Tower environment in the Organizations management account. Enable AWS Security Hub and AWS Control Tower Account Factory in the environment.
B. Deploy an AWS Control Tower environment in a dedicated Organizations member account. Enable AWS Security Hub and AWS Control Tower Account Factory in the environment.
C. Use AWS Managed Services (AMS) Accelerate to build a multi-account landing zone (MALZ). Submit an RFC to self-service provision Amazon GuardDuty in the MALZ.
D. Use AWS Managed Services (AMS) Accelerate to build a multi-account landing zone (MALZ). Submit an RFC to self-service provision AWS Security Hub in the MALZ.
A. Deploy an AWS Control Tower environment in the Organizations management account. Enable AWS Security Hub and AWS Control Tower Account Factory in the environment.
Question 863:
A company has an API that receives real-time data from a fleet of monitoring devices. The API stores this data in an Amazon RDS DB instance for later analysis. The amount of data that the monitoring devices send to the API fluctuates. During periods of heavy traffic, the API often returns timeout errors. After an inspection of the logs, the company determines that the database is not capable of processing the volume of write traffic that comes from the API. A solutions architect must minimize the number of connections to the database and must ensure that data is not lost during periods of heavy traffic.
Which solution will meet these requirements?
A. Increase the size of the DB instance to an instance type that has more available memory.
B. Modify the DB instance to be a Multi-AZ DB instance. Configure the application to write to all active RDS DB instances.
C. Modify the API to write incoming data to an Amazon Simple Queue Service (Amazon SQS) queue. Use an AWS Lambda function that Amazon SQS invokes to write data from the queue to the database.
D. Modify the API to write incoming data to an Amazon Simple Notification Service (Amazon SNS) topic. Use an AWS Lambda function that Amazon SNS invokes to write data from the topic to the database.
C. Modify the API to write incoming data to an Amazon Simple Queue Service (Amazon SQS) queue. Use an AWS Lambda function that Amazon SQS invokes to write data from the queue to the database.
Question 864:
A company uses a Microsoft SQL Server database. The company's applications are connected to the database. The company wants to migrate to an Amazon Aurora PostgreSQL database with minimal changes to the application code.
Which combination of steps will meet these requirements? (Choose two.)
A. Use the AWS Schema Conversion Tool (AWS SCT) to rewrite the SQL queries in the applications.
B. Enable Babelfish on Aurora PostgreSQL to run the SQL queries from the applications.
C. Migrate the database schema and data by using the AWS Schema Conversion Tool (AWS SCT) and AWS Database Migration Service (AWS DMS).
D. Use Amazon RDS Proxy to connect the applications to Aurora PostgreSQL.
E. Use AWS Database Migration Service (AWS DMS) to rewrite the SQL queries in the applications.
B. Enable Babelfish on Aurora PostgreSQL to run the SQL queries from the applications.
C. Migrate the database schema and data by using the AWS Schema Conversion Tool (AWS SCT) and AWS Database Migration Service (AWS DMS).
Question 865:
A company has a web application that uses several web servers that run on Amazon EC2 instances. The instances use a shared Amazon RDS for MySQL database.
The company requires a secure method to store database credentials. The credentials must be automatically rotated every 30 days without affecting application availability.
Which solution will meet these requirements?
A. Store database credentials in AWS Secrets Manager. Create an AWS Lambda function to automatically rotate the credentials. Use Amazon EventBridge to run the Lambda function on a schedule. Grant the necessary IAM permissions to allow the web servers to access Secrets Manager.
B. Store database credentials in AWS Systems Manager OpsCenter. Grant the necessary IAM permissions to allow the web servers to access OpsCenter.
C. Store database credentials in an Amazon S3 bucket. Create an AWS Lambda function to automatically rotate the credentials. Use Amazon EventBridge to run the Lambda function on a schedule. Grant the necessary IAM permissions to allow the web servers to retrieve credentials from the S3 bucket.
D. Store the credentials in a local file on each of the web servers. Use an AWS KMS key to encrypt the credentials. Create a cron job on each server to rotate the credentials every 30 days.
A. Store database credentials in AWS Secrets Manager. Create an AWS Lambda function to automatically rotate the credentials. Use Amazon EventBridge to run the Lambda function on a schedule. Grant the necessary IAM permissions to allow the web servers to access Secrets Manager.
Explanation
AWS Secrets Manager is a fully managed service specifically designed to securely store and automatically rotate database credentials, API keys, and other secrets. Secrets Manager provides built-in integration with Amazon RDS for automatic credential rotation on a configurable schedule without requiring downtime. It also manages the secure distribution of the credentials to authorized services, such as your web servers, using IAM policies. Manual solutions (S3, files, cron jobs) do not provide the same level of automation, audit, or security.
Reference Extract from AWS Documentation / Study Guide:
"AWS Secrets Manager enables you to rotate, manage, and retrieve database credentials securely. It supports automatic rotation of secrets for supported AWS databases without requiring application downtime."
Source: AWS Certified Solutions Architect - Official Study Guide, Security and Secrets Management section.
Question 866:
A company is using Amazon DocumentDB global clusters to support an ecommerce application. The application serves customers across multiple AWS Regions. To ensure business continuity, the company needs a solution to minimize downtime during maintenance windows or other disruptions.
Which solution will meet these requirements?
A. Regularly create manual snapshots of the DocumentDB instance in the primary Region.
B. Perform a managed failover to a secondary Region when needed.
C. Perform a failover to a replica DocumentDB instance within the primary Region.
D. Configure increased replication lag to manage cross-Region replication.
B. Perform a managed failover to a secondary Region when needed.
Explanation
Amazon DocumentDB global clusters support managed cross-Region failover, allowing you to promote a secondary Region to become the new primary with minimal downtime. This ensures business continuity during maintenance or regional disruptions.
References:
"Amazon DocumentDB global clusters support managed cross-Region failover, allowing you to recover quickly from regional disruptions with minimal downtime."
Source: AWS Certified Solutions Architect - Official Study Guide, DocumentDB and Resiliency section.
Question 867:
A company wants to build a web application on AWS. Client access requests to the website are not predictable and can be idle for a long time. Only customers who have paid a subscription fee can have the ability to sign in and use the web application.
Which combination of steps will meet these requirements MOST cost-effectively? (Choose three.)
A. Create an AWS Lambda function to retrieve user information from Amazon DynamoDB. Create an Amazon API Gateway endpoint to accept RESTful APIs. Send the API calls to the Lambda function.
B. Create an Amazon Elastic Container Service (Amazon ECS) service behind an Application Load Balancer to retrieve user information from Amazon RDS. Create an Amazon API Gateway endpoint to accept RESTful APIs. Send the API calls to the Lambda function.
C. Create an Amazon Cognito user pool to authenticate users.
D. Create an Amazon Cognito identity pool to authenticate users.
E. Use AWS Amplify to serve the frontend web content with HTML, CSS, and JS. Use an integrated Amazon CloudFront configuration.
F. Use Amazon S3 static web hosting with PHP, CSS, and JS. Use Amazon CloudFront to serve the frontend web content.
A. Create an AWS Lambda function to retrieve user information from Amazon DynamoDB. Create an Amazon API Gateway endpoint to accept RESTful APIs. Send the API calls to the Lambda function.
C. Create an Amazon Cognito user pool to authenticate users.
E. Use AWS Amplify to serve the frontend web content with HTML, CSS, and JS. Use an integrated Amazon CloudFront configuration.
Question 868:
A solutions architect needs to save a particular automated database snapshot from an Amazon RDS for Microsoft SQL Server DB instance for longer than the maximum number of days.
Which solution will meet these requirements in the MOST operationally efficient way?
A. Create a manual copy of the snapshot.
B. Export the contents of the snapshot to an Amazon S3 bucket.
C. Change the retention period of the snapshot to 45 days.
D. Create a native SQL Server backup. Save the backup to an Amazon S3 bucket.
A. Create a manual copy of the snapshot.
Explanation
Creating a manual copy of the automated snapshot is the most operationally efficient option because it directly meets the requirement (retain a specific snapshot beyond the automated retention window) with the least added process and tooling. In Amazon RDS, automated backups and their snapshots are retained only for the configured backup retention period (up to the service maximum). When that retention period is exceeded, older automated snapshots are removed automatically. However, manual snapshots are retained until you explicitly delete them, so converting (copying) an automated snapshot to a manual snapshot is the standard operational approach to keep a point-in-time backup for long-term retention.
Option C is incorrect because you cannot extend automated snapshot retention beyond the maximum supported retention; also, setting "45 days" may still be within or beyond the service limits depending on the engine and configuration, and it doesn't guarantee indefinite retention.
Option B (export to S3) is not the most operationally efficient for the stated goal: exporting is a different workflow (often used for analytics, archiving in open formats, or cross-tool usage) and introduces extra steps, format considerations, and ongoing management in S3. Option D is also heavier operationally: native SQL Server backups require managing backup jobs, storage layout, restores, and permissions, and it shifts responsibility to the customer for operational correctness.
Therefore, A is the simplest and most AWS-native way to preserve an RDS snapshot long-term with minimal operational overhead.
Question 869:
A media company is migrating a Microsoft Windows-based application to the AWS Cloud. The company uses the application to analyze media files.
The company requires a resilient shared storage solution that the company can access by using the SMB protocol.
Which storage solution will meet these requirements?
A. Use an Amazon S3 bucket to store the media files. Connect the application servers to the bucket.
B. Use Amazon FSx for Windows File Server in a Multi-AZ deployment as shared storage for the application servers.
C. Use an Amazon EBS volume as shared storage for the application servers.
D. Use an Amazon FSx File Gateway as shared storage for the application servers.
B. Use Amazon FSx for Windows File Server in a Multi-AZ deployment as shared storage for the application servers.
Explanation
The correct answer is B because the application is Microsoft Windows-based, requires shared storage, must use the SMB protocol, and needs to be resilient. Amazon FSx for Windows File Server is the AWS managed file storage service built specifically for Windows workloads. It provides native SMB access, integration with Windows environments, and managed shared file storage for multiple application servers.
A Multi-AZ deployment is the key feature that satisfies the resilience requirement. Multi-AZ FSx for Windows File Server stores data synchronously across Availability Zones and can automatically fail over to a standby file server in another Availability Zone if the primary becomes unavailable. This ensures high availability for shared file access and reduces the risk of application disruption.
Option A is incorrect because Amazon S3 is object storage and does not natively provide SMB shared file semantics in the way required by Windows applications.
Option C is incorrect because Amazon EBS volumes are block storage volumes that are generally attached to a single instance and are not the standard solution for resilient multi-instance shared SMB storage.
Option D is incorrect because Amazon FSx File Gateway is used to provide on-premises access to Amazon FSx file systems and is not the primary shared storage service required for this cloud-native application design. AWS storage guidance recommends Amazon FSx for Windows File Server for Windows applications that need managed file shares over SMB. When resilience is required, a Multi-AZ deployment is the most appropriate architecture.
Question 870:
An application is experiencing performance issues based on increased demand. This increased demand is on read-only historical records that are pulled from an Amazon RDS-hosted database with custom views and queries. A solutions architect must improve performance without changing the database structure.
Which approach will improve performance and MINIMIZE management overhead?
A. Deploy Amazon DynamoDB, move all the data, and point to DynamoDB.
B. Deploy Amazon ElastiCache (Redis OSS) and cache the data for the application.
C. Deploy Memcached on Amazon EC2 and cache the data for the application.
D. Deploy Amazon DynamoDB Accelerator (DAX) on Amazon RDS to improve cache performance.
B. Deploy Amazon ElastiCache (Redis OSS) and cache the data for the application.
Explanation
AWS recommends using Amazon ElastiCache as an in-memory caching layer in front of relational databases such as Amazon RDS to offload read traffic and significantly improve performance for read-heavy workloads. ElastiCache (Redis OSS) provides microsecond latency and can cache the results of frequent or expensive queries without requiring any change to the underlying database schema or engine.
This directly addresses the requirement to improve performance without changing the database structure and with minimal operational overhead, because ElastiCache is a fully managed service (patching, failure detection, replacement, etc., are handled by AWS).
Option A (DynamoDB) would require a full data migration and application changes, including schema and query rewrites.
Option C (Memcached on EC2) introduces additional management overhead for EC2 instances (scaling, patching, HA).
Option D (DAX) is a caching layer only for DynamoDB and cannot be used directly with Amazon RDS.